Bad Rabbit Ransomware: What are you doing to prepare?

It’s the third major outbreak of the year.

Since the popularization of ransomware circa 2007 the amount of attacks carried out by this method have increased exponentially. Entire ransomware suites have been developed in which an individuals with malicious intent can purchase their own customized ransomware package. Having in effect RaaS (Ransomware as a Service) capability means that for IT professionals, the threat of ransomeware isn’t going anywhere.

Method of Infection

In this latest version of Bad Rabbit that’s based on the Petya/Not Petya variant there is hope. Bad Rabbit is primarily seen being distributed by a fake flash update. The fake prompt asks the user to update flash player, which of course it not flash player at all. Once the user installs the “flash player update” the machine is now infected. This virus comes pre-loaded with a list of very simple usernames and passwords that it then uses to gain access to any available SMB1 shares. As is usual with most ransomware, the initial machine, and all additional infected devices have their files encrypted and a ransom demand is given.

Protection from Infection

As with Petya, disabling the use of the SMB1 protocol will reduce the malware’s attempt to move laterally across a network. If this isn’t possible due to legacy needs, the key then is isolation. As much as possible isolate any systems on your network that make use of the SMB1 protocol. Make sure you network is segmented, and not flat – this aids in slowing down the spread of a network based attack. As should always done, the principle of least privilege should be applied to your users and strong passwords should be employed.

Primarily, backups are key to surviving a ransomware attack somewhat unscathed. Make sure your backups are done according to best practices, and as frequently as required by your environment.

What are you doing to prepare?

As iron sharpens iron, so we can help each other…please join the conversation!

Are you worried about ransomware in your environment?

What are you doing to prepare your organization against it?

Have you been affected? What did you learn, and what are you doing differently now?